A Comparative Study and Implementation of Key Derivation Functions Standardized by NIST and IEEE
Since many applications and services require pseudorandom numbers (PRNs), it is feasible to generate specific PRNs under given key values and input messages using Key Derivation Functions (KDFs). These KDFs are primarily constructed based on Message Authentication Codes (MACs), where the MAC serves as a core component in the generation of pseudorandom numbers. In light of this, the study first examines three MAC algorithms defined by the National Institute of Standards and Technology (NIST): the Keyed-Hash Message Authentication Code (HMAC), the Cipher-based Message Authentication Code (CMAC), and the Keccak-based Message Authentication Code (KMAC). Subsequently, the study explores KDFs based on these MACs, including the Counter Mode KDF, the KMAC-based KDF, and the KDF defined in IEEE 1609.2.1. In experiments, the computation times for generating MACs and the corresponding pseudorandom numbers using each KDF are evaluated. The study further analyzes the advantages, disadvantages, and applicable scenarios for each method. Experimental results indicate that the CMAC and the CMAC-based KDF exhibit the shortest computation times, averaging approximately 0.007 milliseconds and 0.014 milliseconds, respectively.
💡 Research Summary
The paper presents a systematic comparison and implementation of key derivation functions (KDFs) standardized by NIST and IEEE, focusing on their construction from message authentication codes (MACs) and their performance in generating pseudorandom numbers (PRNs). The authors first review three MAC algorithms defined by NIST: HMAC (based on SHA‑2 or SHA‑3 hash functions), CMAC (based on the AES block cipher), and KMAC (based on the Keccak sponge construction). Detailed algorithmic descriptions, including key padding, inner/outer padding for HMAC, sub‑key generation and CBC‑MAC chaining for CMAC, and cSHAKE‑based domain separation for KMAC, are provided with accompanying formulas and flow diagrams.
Building on these MACs, three KDFs are examined: the counter‑mode KDF (SP 800‑108), a KMAC‑based KDF (also defined in SP 800‑108), and the IEEE 1609.2.1 KDF designed for vehicular communication. The counter‑mode KDF iteratively invokes a pseudorandom function (PRF) – either HMAC, CMAC, or KMAC – with a counter, label, and context to produce the required output length. The KMAC‑based KDF follows the same structure but uses KMAC as the PRF, with a domain string “KDF”. The IEEE KDF employs AES‑128 in ECB mode, combines a 4‑byte iValue and jValue as indices, and adds a simple XOR with a constant padding (0x00 for signing, 0x11 for encryption). The authors note that ECB mode is a known weakness because it reveals structural patterns.
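The counter‑mode construction described above can be shown as a short added example; this is not the paper's Java/BouncyCastle code. It assumes HMAC‑SHA‑256 as the PRF and 32‑bit big‑endian encodings for the counter and the output length, and derives the 48‑byte output size used in the experiments. The function name, key, label and context values are constructed for illustration.

```python
import hashlib
import hmac
import struct


def kdf_counter_hmac(key_in, label, context, out_len, hash_name="sha256"):
    """Counter-mode KDF in the style of NIST SP 800-108 with HMAC as the PRF.

    Each PRF input is [i]_32 || Label || 0x00 || Context || [L]_32, where i is
    the block counter and L is the requested output length in bits.
    The 32-bit big-endian encodings of i and L are assumptions of this example.
    """
    if out_len <= 0 or out_len * 8 >= 2**32:
        raise ValueError("out_len must be positive and fit a 32-bit bit count")
    h_len = hashlib.new(hash_name).digest_size
    n_blocks = -(-out_len // h_len)  # ceil(out_len / h_len)
    fixed = label + b"\x00" + context + struct.pack(">I", out_len * 8)
    out = b""
    for i in range(1, n_blocks + 1):
        out += hmac.new(key_in, struct.pack(">I", i) + fixed, hash_name).digest()
    return out[:out_len]  # keep the leftmost out_len bytes


# Constructed sample inputs (not taken from the paper).
KEY = bytes(range(32))
LABEL = b"example-signing-key"
CONTEXT = b"device-0001"


def demo():
    """Derive outputs that differ only in length or only in label."""
    okm48 = kdf_counter_hmac(KEY, LABEL, CONTEXT, 48)
    okm32 = kdf_counter_hmac(KEY, LABEL, CONTEXT, 32)
    other = kdf_counter_hmac(KEY, b"example-encryption-key", CONTEXT, 48)
    return okm48, okm32, other


if __name__ == "__main__":
    okm48, okm32, other = demo()
    print("48-byte output:", okm48.hex())
    print("32-byte output is a prefix of it:", okm48.startswith(okm32))
    print("label change gives different output:", okm48 != other)
```

Because the requested length L is part of every PRF input, a 32‑byte derivation is not a prefix of the 48‑byte one, so keys of different sizes derived from the same label stay independent.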
Experimental evaluation was carried out on a common platform (Intel i7‑10510U, 16 GB RAM, Windows 11, OpenJDK 21, BouncyCastle 1.70) using Java implementations. For MAC generation, 1,000 iterations were timed: HMAC averaged 0.007 ms, CMAC also 0.007 ms, and KMAC 0.015 ms, confirming CMAC’s superior speed due to the efficiency of block‑cipher operations. For PRN generation via KDFs (producing 48‑byte outputs), the CMAC‑based KDF was fastest at 0.014 ms, followed by HMAC‑based KDF (0.021 ms), KMAC‑based KDF (0.038 ms), and the IEEE 1609.2.1 KDF (0.069 ms). The additional XOR step and the use of ECB mode explain the IEEE KDF’s higher latency.
The discussion evaluates each construction from three perspectives:
- Performance – CMAC‑based KDF offers the lowest latency, making it attractive for resource‑constrained or high‑throughput applications. KMAC, while slower, provides flexibility through variable‑length output and domain separation.
- Security – CMAC inherits the proven security of AES‑128; KMAC benefits from Keccak’s resistance to collision and pre‑image attacks. HMAC’s security depends on the underlying hash; SHA‑2 remains robust, but a transition to SHA‑3 would improve quantum‑resistance. All three are considered resistant to known quantum attacks because they are symmetric primitives.
- Implementation Concerns – The IEEE 1609.2.1 KDF’s reliance on ECB mode is a notable weakness; pattern leakage could be exploited in vehicular networks. Moreover, the extra XOR with public indices adds limited security value. The authors suggest replacing ECB with CBC or CTR mode while retaining the overall structure.
In conclusion, the CMAC‑based counter‑mode KDF emerges as the most efficient and secure choice for general use, while KMAC‑based KDF is a viable alternative when variable output length or future‑proofing against quantum threats is desired. For vehicular communication, the paper recommends adopting the NIST counter‑mode KDF (with AES‑CBC/CTR) instead of the current IEEE specification to mitigate ECB‑related risks. Future work includes exploring SHA‑3‑based HMAC, hardware‑accelerated KMAC implementations, and formal quantum‑security analyses.